Automatic correlation of dynamic system events within computing devices

ABSTRACT

Systems and methods are described herein for logging system events within an electronic machine using an event log structured as a collection of tree-like cause and effect graphs. An event to be logged may be received. A new event node may be created within the event log for the received event. One or more existing event nodes within the event log may be identified as having possibly caused the received event. One or more causal links may be created within the event log between the new event node and the one or more identified existing event nodes. The new event node may be stored as an unattached root node in response to not identifying an existing event node that may have caused the received event.

RELATED APPLICATIONS

This application claims priority to and is a continuation of U.S. patentapplication Ser. No. 16/871,757, filed on May 11, 2020, and entitled“Automatic Correlation of Dynamic System Events Within ComputingDevices,” which is a continuation of and claims priority to U.S. patentapplication Ser. No. 16/434,039 filed Jun. 6, 2019 and entitled“Automatic Correlation of Dynamic System Events Within ComputingDevices,” which is a continuation of and claims priority to U.S. patentapplication Ser. No. 15/385,826, filed Dec. 20, 2016 and entitled“Automatic Correlation of Dynamic System Events Within ComputingDevices,” which is a continuation of and claims priority to U.S. patentapplication Ser. No. 14/958,134, filed Dec. 3, 2015 and entitled“Automatic Correlation of Dynamic System Events Within ComputingDevices,” which is a continuation of and claims priority to U.S. patentapplication Ser. No. 13/719,129 filed Dec. 18, 2012 and entitled“Automatic Correlation of Dynamic System Events Within ComputingDevices.” The entire contents of the above-identified priorityapplications are hereby fully incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates generally to system logs withinelectronic computing devices.

BACKGROUND

System logs are valuable tools for administrators. Examining system logsmay help diagnose the cause of system problems. Manually determiningwhich log entries relate to a given problem, however, is in general achallenging, cumbersome, and error prone endeavor.

It might take many hours to sort through hundreds, thousands, ormillions of unique log entries to identify those that pertain to theissue being investigated. Once the relevant messages are identified, itrequires expertise on the part of the administrator to effectively parsethe logs to understand the cause and effect relationships between therecords. The process often requires expertise with tools, such as textfile sorting and searching programs and scripts. The process is alsoprone to error. If the administrator inadvertently discounts a singlelog entry that represents an important event relating to the problem,the conclusion of the analysis will usually be incorrect or incomplete.Administrators often fail to correlate important events that relate to aproblem, leaving the diagnosis of the problem incomplete.

These system log analysis challenges tend to increase as devices becomemore and more complex. Some complex systems, such as network routing andswitching equipment, may log thousands of unique system events. It isnearly impossible for an administrator to fully understand what each logentry indicates and how each event might be linked to one another.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting an event logging system inaccordance with one or more example embodiments presented herein.

FIG. 2 is a data structure diagram depicting a system event logpopulated by event nodes in accordance with one or more exampleembodiments presented herein.

FIG. 3 is a data structure diagram depicting a tree-like graphcomprising event nodes interrelated by causal linkages in accordancewith one or more example embodiments presented herein.

FIG. 4 is a block flow diagram depicting a method for logging eventswithin a system event log in accordance with one or more exampleembodiments presented herein.

FIG. 5 is a block flow diagram depicting a method for deleting an eventnode from a system event log in accordance with one or more exampleembodiments presented herein.

FIG. 6 is a block flow diagram depicting a method for providing userinterface to a system event log in accordance with one or more exampleembodiments presented herein.

FIG. 7 is a block diagram depicting a computing machine and a module inaccordance with one or more example embodiments presented herein.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

The methods and systems described herein enable logging system eventswithin an electronic machine using an event log structured as acollection of tree-like graphs. Information regarding an event to belogged may be received. A new event node may be created within the eventlog for the received event information. One or more existing event nodeswithin the event log may be identified as having possibly caused thereceived event. One or more causal links may be created within the eventlog between the new event node and the one or more identified existingevent nodes. The new event node may be stored as an unattached root nodein response to not identifying an existing event node that may havecaused the received event.

The functionality of the various example embodiments will be explainedin more detail in the following description, read in conjunction withthe figures illustrating the program flow. Turning now to the drawings,in which like numerals indicate like (but not necessarily identical)elements throughout the figures, example embodiments are described indetail.

Example System Architectures

FIG. 1 is a block diagram depicting an event logging system 100 inaccordance with one or more example embodiments presented herein. Theevent logging system 100 includes a subject device 120 where an eventlogging module 130 may operate to create and maintain a system event log105. The system event log 105 can receive information about systemevents to be logged. Each event to be logged may be represented as anevent node 110 within a tree-like structure. An administrator 150 canaccess the system event log 105 associated with the subject device 120.The system event log 105 may overflow to, or be backed up upon, a systemfor archive storage 140. The subject device 120, system for archivestorage 140, and system for the administrator 150 may each be in directcommunication with the others, or communication may be support by anetwork 160.

The methods and systems described herein may enable automaticdetermination of relationships among system log events generated withinthe subject device 120. The events may be, for example, anythingoccurring within, or to, the subject device 120 that may be logged intothe system event log 105. Example events may include power up, powerdown, inputs, outputs, errors, warnings, failures, configurationchanges, user actions, overflows, timeouts, and so forth. The type ofevents that may be logged may generally be determined by the design andoperation of a given subject device 120.

Relationships among the system events may be used to generate graphicalrepresentations of the cause and effect linkages between the systemevents. Alternatively, the cause and effect linkages may also berepresented textually. The graphical or textual cause and effectlinkages may be helpful to an administrator of the computing device.Understanding a series of cause and effect system events may clarify aspecific issue under investigation by the administrator.

System events and their relationship linkages may be represented astree-like structures. The events may also be stored in tree-like datastructures. Within these structures, the nodes can represent systemevents and the links between the nodes can represent cause and effectrelationships between the nodes events. The relationships for nodes canbe dynamically determined as events occur. This may be possible evenwhere the relationships between node types are not specified in advance.The tree-like structures may be used to visualize chains of eventsillustrating stories of cause-and-effect events within the device orsystem being evaluated.

By determining and recording the cause-effect relationship betweendistinct system events, a device can display a history of what eventsled up to a specific problem within the device. Accordingly, anadministrator may quickly receive indication of one or more most likelyscenarios that may have led to a specific system situation. This canallow the administrator to rapidly take educated action toward systemrepairs or loss/failure mitigation.

The technology presented herein may be used to correlate events on asingle computing device and may be used to diagnose a problem on thecomputing device. The tree-based structure may be used to link not justa single cause and a single event, but can capture the cause and effectrelationship between many different correlated events. These complexrelationship graphs can illustrate chains of events resulting inparticular outcomes. A number of factors may be used to automaticallydetermine how events may be correlated. Pre-defined correlation rulesmay not be required to perform the analysis. As such, the computingdevice may expand event logging to new types of events within the systemwithout specifying how such new event types may relate to all existingevents.

A unique approach for determining which events generally continue tocause effects downstream may be used to manage finite storage resources.The system may intelligently delete events from the log that are lesslikely to be a cause for an event in the future.

Various example embodiments involving network routing and switchingdevices as the subject device 120 may be discussed throughout thisdisclosure. It should be appreciated however that the subject device 120may be any computing system or computing device where system eventsregarding the operation of the subject device 120 may be logged. Inexamples where the subject device 120 is a piece of networkingequipment, logged events might be created by the subject device 120 whencables are connected or disconnected at interface ports, routingrelationships are established or broken, or configuration changes aremade through a management interface.

The administrator 150 may be a computing system for use by a humanoperator or system administrator. The administrator 150 may interface tothe subject device 120 either directly or through one or more networks160. The administrator 150 can interface with the subject device 120through a textual interface, a graphical interface, or a combinationthereof to access information associated with the system event log 105.According to one or more example embodiments, the administrator 150 mayinclude a browser, such as a web browser, operable to displayinformation from the subject device 120, where the subject device 120may be operable to render hypertext, or other web-like, content to theadministrator 120 for access to information associated with the systemevent log 105.

The archive storage 140 may comprise an external storage device such asa hard drive, non-volatile memory, optical storage, magnetic storage,solid-state storage, any other data storage technology, or anycombination thereof. The archive storage 140 may be directly attached tothe subject device 120 or may be a connected via a network 160 or otherinterface as a data storage server, database system, network attachedstorage (“NAS”), data backup system, or so forth. The archive storage140 may be used to offload storage of the system event log 105, entirelyor in part, from the subject device 120 in the case of an overflow ofthe memory or storage within the subject device 120, as a back-upmechanism, or any combination thereof.

The subject device 120, the system for archive storage 140, the systemfor the administrator 150, and any other computing device associatedwith the technology presented herein may each comprise the exampleembodiments of a computing machine as presented below. Furthermore, theevent logging module 130 may serve as one or more modules as discussedwith respect to that example computing machine, and the network 160 mayserve as the various networking examples discussed with respect to thatexample computing machine.

In exemplary embodiments, the network 160 may include wide area networks(WAN), local area networks (LAN), intranets, the Internet, wirelessaccess networks, wired networks, mobile networks, cellular networks,telephone networks, optical networks, or combinations thereof. Thenetwork 160 may be packet switched, circuit switched, of any topology,and may use any communication protocol. Communication links within thenetwork 160 may involve various digital or analog communication media,such as fiber optic cables, free-space optics, waveguides, electricalconductors, wireless links, antennas, radio-frequency communications,and so forth.

FIG. 2 is a data structure diagram depicting a system event log 105populated by event nodes 110A-110D in accordance with one or moreexample embodiments presented herein. Event entries in the system eventlog 105 may be represented as event nodes 110A-110D. The event nodes110A-110D may be referred to collectively or generically as event nodes110. When a system event occurs within the subject device 120, a newevent node 110 representing that specific event instance may be createdwithin the system event log 105. Linking these event nodes 110 togetheraccording to possible cause and effect relationships may develop atree-like graph structure where the nodes of the graph are event nodes110 and the links of the graph are relationships.

When an event node 110 is created, the event node 110 may be flagged asone of three types. These event node types may be causal-only,cause-and-effect, and effect-only. A causal-only event node 110, such asevent node 110A, can represent an event that may not be triggered byanother event. The causal-only event node, such as event node 110A, canserve as the root of a tree-like graph where the nodes are event nodes110.

A cause-and-effect event node 110, such as event nodes 110B-110C, canrepresent an event that may possibly have been caused by another eventor may possibly cause other events. One cause-and-effect event node mayhave another cause-and-effect event node as its parent. For example,event node 110C has event node 110B as its parent when both event nodes110B and 110C are cause-and-effect event nodes.

An effect-only event node 110, such as event node 110D, can represent anevent that can only be caused by another event and may not cause otherevents. An effect-only event node, such as event node 110D can serve asa leaf in the tree-like graph of event nodes 110.

Since causes must occur before their effects, the time ordering of eventnodes 110 may be useful in establishing cause and effect relationships.A tree-like graph of event nodes 110 may generally contain events thathappened at later times as the tree is traversed away from the root nodetowards the leaf nodes. In the illustrated example, the event nodes 110are arranged from left to right according to the positive progression oftime as shown by the time domain arrow.

In one or more example embodiments, the subject device 120 may be anetwork switching or routing device. In such a system, examples ofcausal-only event nodes, such as event node 110A, might include aninterface going down, system memory being filled, a process beingkilled, or a power supply failing. An example of a cause-and-effectevent node, such as event node 110B or 110C, may represent a specificrouting table entry being removed from use. Such an event must have acause and could also have an effect on traffic handling through thesubject device 120. For example, the loss of the routing table entry mayresult in a packet being dropped or telnet access to the subject device120 being denied. Such resultant events may be represented aseffect-only nodes such as event node 110D.

FIG. 3 is a data structure diagram depicting a tree-like graphcomprising event nodes 110A-110D interrelated by causal linkages310A-310C in accordance with one or more example embodiments presentedherein. Each event node 110 may be populated with information fieldsdescribing the specific system event that occurred. The informationassociated with the event node 110 can include a description of theevent, categorical information associated with the event, and atimestamp of the event. These information fields may be analyzed toautomatically correlate and interconnect the event nodes 110 with causallinkages 310A-310C. The causal linkages 310A-310C may be referred tocollectively or generically as causal linkages 310. The causal linkages310 can represent the cause-effect relationships between the event nodes110. Through analysis of the information fields of the event nodes 110,the causal linkages 310 may be determined dynamically for the eventnodes 110, where dynamic determination may imply that the relationshipsbetween node types may not be specified or known in advance. Instead,dynamic determination may classify the relationships on the fly asevents occur and event nodes 110 are added to the system event log 105.

The information associated with an event node 110 can include adescription of the event. The description may be plain human-readabletext. Each instance of a given type of event may likely have the samedescription. Within the generic text, placeholders allow insertion ofinformation specific to a given instance. For example, the descriptionfor event node 110B is illustrated as “Routing process number 90, Port10 on outside interface down.” The generic text includes “Routingprocess number [XXXX], Port [XXXX] on [XXXX] interface down.” While theadditional specific information includes the process number “90,” theport “10,” and the interface designator “outside.”

The information associated with an event node 110 can include a list ofcategories, or categorical information about the event. The categoriesmay be used to establish how event nodes 110 are related and thus how tolink them into the tree-like graph associated with the system event log105. In certain example embodiments, an event can have two types ofcategories.

The first type of categories is intrinsic categories. All events of adistinct type may have the same list of intrinsic categories. Theseintrinsic categories can specify the general intrinsic information aboutthe event that took place as that information applies to every instanceof that event. For example in the networking context, an event for lossof a routing peer relationship between a router and its routing peer mayhave the intrinsic category of “routing.” When a peer relationship islost, it may generally affect the routing capabilities of the subjectdevice 120.

The second type of categories is contextual categories. Events maycontain various contextual information entries related to the particularevent. In the networking example, such contextual categoricalinformation may include addresses, subnets, usernames, and so forth.These information entries may be dynamic and could change with eachinstance of the event. Such information may be useful within the list ofcategories to determine the linkages between event nodes 110. Contextualcategories may be referred to as such because the information saved tothe event may be variable as derived from the context of the particularsituation in which the event occurred.

Within the categories for the illustrated example, intrinsic categoriesare shown in non-italicized text, while contextual categories are shownin italicized text. Also, examples of matching between the categoriesmay be noted. The categories “routing” and “outside” are matched betweenevent node 110A and event node 110B. The categories “routing,”“outside,” and “Port 10” are matched between event node 110B and eventnode 110C. The categories “routing” and “Address 45” are matched betweenevent node 110C and event node 110D. Identification of these matchingcategories may be used as a factor for assigning correlation betweenevent nodes 110 and thus connecting the event nodes 110 by causallinkages 310.

A timestamp may be associated with each event node 110. The timestampmay indicate the time that the event node 110 was created and thus whenthe associated event occurred. A second time entry may be added to eachevent node 110 to indicate the time of its last use. The last useindicator may be used when deleting or removing event nodes 110 from thesystem event log 105 as presented in additional detail below.

When an event node 110 has been created within the subject device 120,it may be determined if that event node 110 might be correlated to otherevent nodes 110 that have previously occurred using the subject device120. A robust and accurate algorithm may be used for determining thecorrelation between event nodes 110. Three dimensions of factors may beevaluated to determine if two event nodes 110 are correlated and thusshould be connected by a causal linkage 310. The three correlationfactors may include time, cause/effect designations, and categories.

The first correlation factor may include timestamp evaluation. For a newevent node 110 to be linked to an existing event node 110, the new eventnode 110 must have been created after the existing event node 110. Thenotion of one event occurring after another event may be indicated bythe new event node 110 having a strictly later (not equal) timestampthan the existing event node 110. In the illustrated example, event node110D has a later timestamp than event node 110C, which has a latertimestamp than event node 110B, and so on. It should be appreciated thatin some embodiments granularity of the timestamp may cause two or moreevents to have the same timestamp even though one event occurredslightly after the other event. In such embodiments, equal timestampsmay be accepted as still allowing a causal relationship.

The second correlation factor may include cause/effect designation. Forexample, cause-only event nodes 110 may be immediately added to thesystem event log 105 forming the root of a new graph. Cause-and-effectevent nodes 110 and effect-only event nodes 110 may be compared againstexisting nodes in the system event log 105 to determine the bestexisting tree-like structure, if any, to attached the new event node110.

The third correlation factor may include matching event node categories.To be considered as related, event nodes 110 may be required to shareone or more categories (either contextual or intrinsic). The morecategories shared to by event nodes 110, the more likely correlated theyare.

It should be appreciated that two categories being shared may meandifferent things for different types of information. For some types ofinformation, matching may require a proper exact match, but for othertypes of information, inclusion within a range or subset may suffice formatching. For example, an IP network address may be considered matchedon a subnet basis. An event node 110 that contains the contextual IPsubnet category “192.168.1.0/24” may be considered matched to anotherevent node 110 having the IP subnet category of “192.168.1.4” since thetwo subnets overlap. If the two subnets did not overlap, the twocategories would generally not be used to increase a correlation metricbetween the two event nodes 110.

The correlation factors may be used to establish a cause-and-effectrelationship between event nodes 110. A newly created event node 110 maybe compared against the other existing event nodes 110 in the systemevent log 105. In general, the new event node 110 may be correlated toan existing event node 110 when the new event node 110 is created afterthe event node 110 being compared, the new event node 110 could be aresulting effect of the event node 110 being compared, and the new eventnode 110 has categorical overlap with the node being compared.

When determining if event nodes 110 are correlated, several factors maybe used, resulting in a range of possible results. These results may becompared to a threshold to determine if a causal linkage 310 should becreated or not. According to other embodiments, a range of values forthe results may be used for describing each causal linkage 310 by itscorrelation metric. The correlation metrics may also be referred to asprobability of correlation, link likelihood, graph weights, or any othersuch terminology. It may be useful to display a representation of thelevel of correlation detected between two event nodes 110. Theadministrator may then take into account the confidence or likelihood ofthe causal linkage 310 between two event nodes 110 when interpreting thegraph representations of the system event log 105.

According to one or more examples, the confidence of the causalrelationship between two event nodes 110 may be visualized in agraphical representation. When the administrator clicks on an event node110, the paths of event nodes 110 from that node to the root node may bedisplayed. The degree of correlation between nodes may be visualized byplacing numerical values on the causal linkage 310 representations or bychanging the size of the causal linkage 310 representations between theevent nodes 110. According to other examples, when there are a greaternumber of shared categories between two event nodes 110, the causallinkage 310 between those two event nodes 110 may be rendered thicker orin different colors.

If an event node 110 being examined has more than one parent node, allpossible paths to the different root event nodes may be displayed to theadministrator. The administrator may employ their judgment and commonsense when considering which event path of event nodes 110 could be thecause of the event they being investigated.

When an event node 110 is added to an existing tree-like graph, allevent nodes 110 between the new event node 110 and the root node mayhave their last used indicator refreshed. Refreshing the last usedindicator designates that all event nodes 110 involved in the path tothe root have caused an effect event. The last used indicator may beuseful when determining which event nodes 110 to delete from the systemevent log 105 to free up memory space.

Once the system event log 105 is populated with event trees, anadministrator can browse through the different trees by clicking onparent or child event nodes 110, or optionally search through the eventnodes 110 for text matches in the descriptions or categories associatedwith the event nodes 110. When event nodes 110 of interest are selected,the selected event node 110 may be highlighted with the informationrelating to that node displayed. All of the event nodes 110 between thatevent node 110 and the root node may also be displayed. This display canillustrate the history of the cause-effect relationship between theevents related to the event nodes 110 in the tree-like graph. This eventhistory can provide the administrator with an easy to interpret causallinkage of events that led up to the creation of the selected event node110.

Ether a specific or dynamic amount of memory may be allocated for thesystem event log 105 within the subject device 120. Either way, theamount of space for the system event log 105 will generally be finiteand eventually the memory for the system event log 105 may fill up asmore event nodes 110 are generated over time.

The following deletion protocol may be used for efficiently removingevent nodes 110 from the system event log 105. The effect-only node withthe oldest last used indicator may be removed first. If no effect-onlynodes remain in the system event log 105, the cause-and-effect node withthe oldest last used indicator may be removed. Lastly, if neitherexists, the causal-only node with the oldest last used indicator may beremoved. This protocol can avoid deleting event nodes 110 that may beconsidered more currently relevant than other event nodes 110. When anevent node 110 is added to the system event log 105, the last usedindicators can be refreshed on all event nodes 110 in the path from thenew event node 110 to the root event node 110. Event nodes 110 that havenot been linked to in a cause-effect relationship recently may be morelikely to be less important, or relevant, to this system event log 105than event nodes 110 that were recently linked to thus having their lastused indicator refreshed.

The memory space used for each event node 110 may be estimated for givencharacterizes of the system event log 105 and the subject device 120.The following values are example of possible memory space allocationsaccording to one or more example embodiments. It should be appreciatedthat other space allocations may be used without departing from thespirit or scope of the technology presented herein. An event node 110may fit within a block of 512 bytes comprising a description of 256bytes, a category list of 200 bytes (40 bytes for intrinsic categoriesand 160 bytes for contextual categories), an event identifier of 10bytes, up to three parent event identifiers of 30 bytes, a last usedindicator timestamp of 8 bytes (resolving time since epoch inmilliseconds), and an origination timestamp of 8 bytes (resolving timesince epoch in milliseconds). Intrinsic categories may be placed in atable that maps a one-byte value to a specific intrinsic category.Allocating 40 bytes for intrinsic categories in each event node 110 canallow for up to forty intrinsic categories per event node 110.

Using event nodes 110 sized at 512 bytes, the system event log 105 canstore 2000 events in each megabyte of memory or 2,000,000 events in eachgigabyte of memory. Furthermore, event nodes 110 may be saved off toarchive storage 140 to provide additional space. At the direction of theadministrator, the entire event system event log 105 could be archivedperiodically, or individual event nodes 110 could be archived as theyare deleted from the active system event log 105.

Moving event nodes 110 off to archive storage 140 may also use eventnodes 110 sized at 512 bytes along with an IPv6 address for anallocation of about 1024 bytes per archived event node 110. Assumingcreation of one million event nodes 110 per day, a 1 TB drive used asarchive storage 140 may store approximately three years' worth of systemevent log 105 archives.

When several event nodes 110 are created at once, the computation effortto correlate and organize those new event nodes into tree-like graphsmay tax system operations and impact performance. Delaying thecomputation of the cause-effect relationships and causal linkages 310between the event nodes 110 may mitigate such impact. For example, asevents occur, entries may be added to an event cache queue. A secondaryprocess may be responsible for creating event nodes 110 for those eventsas well as computing the causal linkages 310 between the event nodes 110as resources permit. This secondary process may be a lower priorityprocess or may execute as a background operation. The secondary processmay also delete or expire existing event nodes 110 as necessary.

Example System Processes

According to methods and blocks described in the example embodimentspresented herein, and, in alternative embodiments, certain blocks can beperformed in a different order, in parallel with one another, omittedentirely, and/or combined between different example methods, and/orcertain additional blocks can be performed, without departing from thescope and spirit of the invention. Accordingly, such alternativeembodiments are included in the invention described herein.

FIG. 4 is a block flow diagram depicting a method 400 for logging eventswithin a system event log 105 in accordance with one or more exampleembodiments presented herein.

In block 410, a system event log 105 may be initialized by an eventlogging module 130 to represent system events and their relationshiplinkages as tree-like graphs. The events may also be stored in tree-likedata structures. Within these structures, the event nodes 110 canrepresent system events and the links between the nodes can representcausal linkages 310 of cause and effect relationships between the eventnodes 110. The relationships for nodes can be dynamically determined asevents occur. The tree-like structures may be used to visualize chainsof events illustrating histories of cause-and-effect events within thesubject device 120 being evaluated. Two or more tree-like graphs may becollectively referred to as a forest of tree-like graphs.

In block 420, the event logging module 130 may receive informationregarding an event to be logged within the system event log 105. Eventsmay be logged without pre-defined correlation of events or event types.Accordingly, the subject device 120 may expand event logging to newtypes of events within the subject device 120 without specifying howsuch new event types may relate to previous existing events.

In block 430, the event logging module 130 may create a new event node110 associated with the event received in block 420. The event node 110may include various informational fields. For example, a descriptionfield may include plain human-readable text representing a descriptionof the event. Similarly, one or more category fields may include a listof categories, or categorical information about the event. A first typeof categories may include intrinsic categories. All events of a distincttype may have the same list of intrinsic categories. These intrinsiccategories can specify the general intrinsic information about the eventthat took place as that information applies to every instance of thattype of event. A second type of categories may include contextualinformation that can vary as derived from the context of the particularsituation in which the event occurred.

Another example field associated with the event node 110 may include atime stamp indicating the time that the event node 110 was created andthus when the associated event occurred. A second time entry may beadded to each event node 110 to indicate the time of its last use orassociation with a newly added event.

Yet another example field associated with the event node 110 may includean event identifier. The event identifier may be useful to uniquelyidentifying an event node 110. Event identifiers may be numbers or othervalues and may be allocated sequentially, randomly, borrowed from apool, or so forth. The identifiers may also be memory locations orpointers of the associated event node 110 or associated data. The eventidentifier may be used to uniquely record the causal linkages 310 of theevent nodes 110 by storing a list, within each event node 110, of eventidentifiers that are associated with parents and/or children of theevent node 110 as determined by the tree-like cause and effectstructure.

As a new event node 110 is being created, storage requirements withinthe system event log 105 may require deleting an existing event note 110to free space for the newly created event node 110. The amount of spacefor the system event log 105 will generally be finite and eventually thememory for the system event log 105 may fill up as more event nodes 110are generated over time. A deletion protocol may be used for efficientlyremoving event nodes 110 from the system event log 105.

In block 440, the event logging module 130 may determine a cause/effecttype for new event node 110 created in block 430. Each event node 110may be flagged as one of three types. These event node types may becausal-only, cause-and-effect, and effect-only. A causal-only event node110 can represent an event that may not be triggered by another eventand may serve as the root of a tree-like graph where the nodes are eventnodes 110. A cause-and-effect event node 110 can represent an event thatmay possibly have been caused by another event or may possibly causeother events. An effect-only event node 110 can represent an event thatcan only be caused by another event and may not cause other events.

In block 450, the event logging module 130 may determine if the newevent node 110 created in block 430 is a causal-only type. If it isdetermined in block 450 that the new event node 110 is a causal-onlytype, the method 400 may continue to block 460. In block 460, the eventlogging module 130 may store new node cause-only event node 110 into thesystem event log 105 as an unassociated root node of a new tree-likegraph. After block 460, the method 400 may continue to block 490discussed below.

If instead, it is determined in block 450 that the new event node 110 isnot a causal-only type, the method 400 may continue to block 470. Inblock 470, the event logging module 130 may identify an existing eventnode 110 within the system event log 105 having the best matchedcategories to the new event node 110 created in block 430. Throughanalysis of the information fields of the event nodes 110, the causallinkages 310 may be determined dynamically for the event nodes 110.Dynamic determination may classify the relationships on the fly asevents occur and event nodes 110 are added to the system event log 105.The events may be logged without pre-defined correlation. A robust andaccurate algorithm may be used for determining the correlation betweenevent nodes 110. Correlation factors may be evaluated to determine iftwo event nodes 110 are correlated and thus should be connected by acausal linkage 310. The correlation factors may include time,cause/effect designations, and categories, for example.

To limit computational complexity and improve time performance, amaximum time window may be specified that may pass between two eventsfor them to be considered related, thus reducing the number of existingevent nodes 110 that need to be investigated as a potential cause forthe newly created event node. For example, only existing event nodes inthe system event log 105 that are less than a certain amount of time oldmay need to be evaluated. According to some example embodiments, thatamount of time may be three minutes. Three minutes is an example timewindow; any duration of window may be specified for evaluation accordingto various embodiments. Also, the duration of the examination window maybe dynamic based upon various system parameters such as frequency ofevents, number of events, processor loading, and so forth.

In block 480, the event logging module 130 may logically link the newevent node as a child of the identified existing event node from block470. The logical link may be marked using event identifiers thatuniquely identify each event node 110. The event identifier may be usedto uniquely record the causal linkages 310 of the event nodes 110 bystoring a list, within each event node 110, of event identifiers thatare associated with parents and/or children of the event node 110 asdetermined by the tree-like cause and effect structure.

When it was not determined exactly which previous event caused thecurrent event, or when it appears that more than one previous event mayhave contributed to the current event, the new event node 110 may belinked to multiple parent events nodes 110. A limit or maximum may bespecified for the number of multiple linkages according to variousembodiments. For example, a maximum may be set such that the new eventnode 110 may be linked to, at most, three (or some other number)possible parent event nodes 110. Because there could be more than themaximum number of potential causal events found for the new event, theremay be an algorithm defined to find the best potential causes for thenew event. The time difference between a cause and effect may be astrong indicator of correlation especially in conjunction with at leastone matching intrinsic category. As such, those causes that have amatching intrinsic category that occurred closest in time to the effectevent may be selected and linked as the best potential causes of the newevent.

In block 490 the event logging module 130 may refresh the last usedtimestamp parameters of that existing event nodes linked to new eventnode. When an event node 110 is added to an existing tree-like graph,all event nodes 110 between the new event node 110 and the root node mayhave their last used indicator refreshed. Refreshing the last usedindicator designates that all event nodes 110 involved in the path tothe root have a causal role in the new event.

After block 490, the method 400 ends. Of course logging events within asystem event log 105 may continue according to repeated application ofmethod 400

FIG. 5 is a block flow diagram depicting a method 500 for deleting anevent node 110 from a system event log 105 in accordance with one ormore example embodiments presented herein. Among other exampleembodiments, event node deletion may comprise a two-phase age-outmechanism. In a first phase, all effect-only event nodes that are notattached to any parent nodes 110 may be removed starting first withthose event nodes 110 having the oldest last use timestamp. In a secondphase, remaining effect-only event nodes may be removed starting firstwith those nodes having the oldest last use timestamp. In the secondphase, any identified effect-only node will have at least one parentnode. All such parent nodes having the same last-update timestamp as theidentified effect-only node may also be removed. These parent nodesinclude all those up the chain to, and including, the root node.

This means, if the oldest effect-only node in the tree has one parent (acause-effect node), and that has only one parent (a cause-onlynode—which is also a root node), then they would all have the samelast-updated timestamp, and all three would be removed at the same time.

In block 510, the event logging module 130 can identify the effect-onlynode within the system event log 105 having the oldest last usedindicator and no parent nodes. If an effect-only node without parents isnot identified, then the effect-only node with the oldest last usedindicator may be identified. In certain exemplary embodiments, alleffect-only nodes without parent nodes can be identified before anyeffect-only nodes without parent nodes.

In block 520, it can be determined if an effect-only node was identifiedin block 510. If an effect-only node was identified in block 510, themethod 500 may continue to block 560. If however, an effect-only nodewas not identified in block 510, the method 500 may continue to block530.

In block 530, the event logging module 130 can identify thecause-and-effect node with the oldest last used indicator and no parentnodes. If a cause-and-effect node without parents is not identified,then the cause-and-effect node with the oldest last used indicator maybe identified. In certain exemplary embodiments, all cause-and-effectnodes without parent nodes can be identified prior to identifying anycause-and-effect nodes with parent nodes.

In block 540, it can be determined if a cause-and-effect node wasidentified in block 530. If a cause-and-effect node was identified inblock 530, the method 500 may continue to block 560. If however, acause-and-effect node was not identified in block 530, the method 500may continue to block 550.

In block 550, the event logging module 130 can identify the causal-onlynode with the oldest last used indicator. Through block 510-550, theleast recently used effect-only node may be identified (givingpreference, in certain example embodiments, to those without parentnodes). If no effect-only nodes remain in the system event log 105, theleast recently used cause-and-effect node may be identified (givingpreference, in certain example embodiments, to those without parentnodes). Lastly, if neither exists, the least recently used causal-onlynode may be identified for removal. This example protocol can avoiddeleting event nodes 110 that may be considered more currently relevantthan other event nodes 110. When an event node 110 is added to thesystem event log 105, the last used indicators can be refreshed on allevent nodes 110 in the path from the new event node 110 to the rootevent node 110. Event nodes 110 that have not been linked in acause-effect relationship recently may be more likely to be lessimportant, or relevant, to this system event log 105 than event nodes110 that were recently linked to, thus having their last used indicatorrefreshed.

In block 560, the event logging module 130 may store to an archive anyevent nodes 110 that have been identified for removal to an archive. Inaddition to the event node identified for removal in previous steps, anyof that event node's parent nodes (all the way up to and including theroot) may also be identified for removal if they have same last usetimestamp of the identified event node. Where such a chain of eventnodes has been identified for removal, each of those event nodes mayfirst be stored to an archive. The archive storage 140 may be used tooffload storage of the system event log 105, entirely or in part, fromthe subject device 120 in the case of an overflow of the memory orstorage within the subject device 120, as a back-up mechanism, or anycombination thereof. Event nodes may be saved off to archive storage 140to provide additional space within the system event log 105.

In block 570, the event logging module 130 can remove the identifiedevent node 110 from the system event log 105. In addition to the eventnode identified for removal in previous steps, any of that event node'sparent nodes (all the way up to and including the root) may also beremoved if they have same last use timestamp of the identified eventnode. Removing the identified event node 110 may include disconnectingany causal linkages 310 between the identified event node 110 and otherevent nodes 110. Removing the identified event node 110 may includefreeing or releasing memory, structures, or objects associated with theidentified event node 110.

After block 570, the method 500 ends. Of course deleting event nodes 110from a system event log 105 may be continued through repeatedapplication of method 500.

FIG. 6 is a block flow diagram depicting a method 600 for providing auser interface to a system event log 105 in accordance with one or moreexample embodiments presented herein.

In block 610, the event logging module 130 can provide a textual userinterface to the system event log 105. An administrator may access thesystem event log 105 using a command line, terminal, or other suchinterface. The event logging module 130 can generate a textualrepresentation of the relevant system event nodes 110. The text eventnode messages that are generated may be appended with textualinformation that represents the cause and effect relationship path ofthe causal linkages 310 between the nodes. For example, each text eventnodes 110 may be appended with one or more unique identifier valuesindicating the event's identifier, and the identifiers indicating theparent events. The parent event identifiers may be indicated indescending order of cause-effect confidence (as determined by the numberof overlapping categories). The administrator could read back in timethrough the text representation of the events to see the cause andeffect linkage between the events.

In block 620, the event logging module 130 can provide searchable accessto the system event log 105. The search can bring up event nodes 110 andtheir associated causal linkages 310. The search may be done on variouskey words or characteristics from the system event log 105. The searchmay be performed for the textual access from block 610 or the return agraphical rendering of a tree portion.

In block 630, the event logging module 130 can render the system eventlog 105 (or a portion of it) graphically to illustrate tree-like eventrelationships. A portion of the system event log 105 may be provided inresponse to the search performed in block 620. An administrator canbrowse through the tree-like structures of the system event log 105 byclicking on parent or child event nodes 110. Also, the administrator cansearch through the event nodes 110 for text matches in the descriptionsor categories associated with the event nodes 110. When event nodes 110of interest are selected, that event node 110 may be highlighted andalso annotated with the information relating to that event node 110.

In block 640, the event logging module 130 can display a path from aselected event node 110 to a root event node 110. The event nodes 110between the selected event node 110 and the root node may also bedisplayed as a tree-like graph. This display can tell the story of thecause-effect relationship between the events related to the event nodes110 in the tree-like graph. This story can provide the administratorwith an easy to interpret history of events that led up to the creationof the selected event node 110.

In block 650, the event logging module 130 can display all possiblepaths for multi-path scenarios. Because there may be more than oneparent event nodes 110 associated with each node, multiple possiblecause-effect trees may be displayed.

In block 660, the event logging module 130 can provide visualization forlinkage correlation metric. The visual display of the tree-likestructures may be annotated with text describing the correlation metricor probability for each causal linkage 310. Also, the causal linkages310 may be color coded or rendered in different sizes to show theirrelative correlation metric values.

After block 660, the method 600 ends. Though, providing user interfacefunctionality to the system event log 105 may be continued throughrepeated application of method 600.

Example Systems

FIG. 7 depicts a computing machine 2000 and a module 2050 in accordancewith one or more example embodiments presented herein. The computingmachine 2000 may correspond to any of the various computers, servers,mobile devices, embedded systems, or computing systems presented herein.The module 2050 may comprise one or more hardware or software elementsconfigured to facilitate the computing machine 2000 in performing thevarious methods and processing functions presented herein. The computingmachine 2000 may include various internal or attached components such asa processor 2010, system bus 2020, system memory 2030, storage media2040, input/output interface 2060, and a network interface 2070 forcommunicating with a network 2080.

The computing machine 2000 may be implemented as a conventional computersystem, an embedded controller, a laptop, a server, a mobile device, asmartphone, a set-top box, a kiosk, a vehicular information system, onemore processors associated with a television, a customized machine, anyother hardware platform, or any combination or multiplicity thereof. Thecomputing machine 2000 may be a distributed system configured tofunction using multiple computing machines interconnected via a datanetwork or bus system.

The processor 2010 may be configured to execute code or instructions toperform the operations and functionality described herein, managerequest flow and address mappings, and to perform calculations andgenerate commands. The processor 2010 may be configured to monitor andcontrol the operation of the components in the computing machine 2000.The processor 2010 may be a general purpose processor, a processor core,a multiprocessor, a reconfigurable processor, a microcontroller, adigital signal processor (“DSP”), an application specific integratedcircuit (“ASIC”), a graphics processing unit (“GPU”), a fieldprogrammable gate array (“FPGA”), a programmable logic device (“PLD”), acontroller, a state machine, gated logic, discrete hardware components,any other processing unit, or any combination or multiplicity thereof.The processor 2010 may be a single processing unit, multiple processingunits, a single processing core, multiple processing cores, specialpurpose processing cores, co-processors, or any combination thereof.According to certain embodiments, the processor 2010 along with othercomponents of the computing machine 2000 may be a virtualized computingmachine executing within one or more other computing machines.

The system memory 2030 may include non-volatile memories such asread-only memory (“ROM”), programmable read-only memory (“PROM”),erasable programmable read-only memory (“EPROM”), flash memory, or anyother device capable of storing program instructions or data with orwithout applied power. The system memory 2030 also may include volatilememories, such as random access memory (“RAM”), static random accessmemory (“SRAM”), dynamic random access memory (“DRAM”), and synchronousdynamic random access memory (“SDRAM”). Other types of RAM also may beused to implement the system memory 2030. The system memory 2030 may beimplemented using a single memory module or multiple memory modules.While the system memory 2030 is depicted as being part of the computingmachine 2000, one skilled in the art will recognize that the systemmemory 2030 may be separate from the computing machine 2000 withoutdeparting from the scope of the subject technology. It should also beappreciated that the system memory 2030 may include, or operate inconjunction with, a non-volatile storage device such as the storagemedia 2040.

The storage media 2040 may include a hard disk, a floppy disk, a compactdisc read only memory (“CD-ROM”), a digital versatile disc (“DVD”), aBlu-ray disc, a magnetic tape, a flash memory, other non-volatile memorydevice, a solid state drive (“SSD”), any magnetic storage device, anyoptical storage device, any electrical storage device, any semiconductorstorage device, any physical-based storage device, any other datastorage device, or any combination or multiplicity thereof. The storagemedia 2040 may store one or more operating systems, application programsand program modules such as module 2050, data, or any other information.The storage media 2040 may be part of, or connected to, the computingmachine 2000. The storage media 2040 may also be part of one or moreother computing machines that are in communication with the computingmachine 2000 such as servers, database servers, cloud storage, networkattached storage, and so forth.

The module 2050 may comprise one or more hardware or software elementsconfigured to facilitate the computing machine 2000 with performing thevarious methods and processing functions presented herein. The module2050 may include one or more sequences of instructions stored assoftware or firmware in association with the system memory 2030, thestorage media 2040, or both. The storage media 2040 may thereforerepresent examples of machine or computer readable media on whichinstructions or code may be stored for execution by the processor 2010.Machine or computer readable media may generally refer to any medium ormedia used to provide instructions to the processor 2010. Such machineor computer readable media associated with the module 2050 may comprisea computer software product. It should be appreciated that a computersoftware product comprising the module 2050 may also be associated withone or more processes or methods for delivering the module 2050 to thecomputing machine 2000 via the network 2080, any signal-bearing medium,or any other communication or delivery technology. The module 2050 mayalso comprise hardware circuits or information for configuring hardwarecircuits such as microcode or configuration information for an FPGA orother PLD.

The input/output (“I/O”) interface 2060 may be configured to couple toone or more external devices, to receive data from the one or moreexternal devices, and to send data to the one or more external devices.Such external devices along with the various internal devices may alsobe known as peripheral devices. The I/O interface 2060 may include bothelectrical and physical connections for operably coupling the variousperipheral devices to the computing machine 2000 or the processor 2010.The I/O interface 2060 may be configured to communicate data, addresses,and control signals between the peripheral devices, the computingmachine 2000, or the processor 2010. The I/O interface 2060 may beconfigured to implement any standard interface, such as small computersystem interface (“SCSI”), serial-attached SCSI (“SAS”), fiber channel,peripheral component interconnect (“PCP”), PCI express (PCIe), serialbus, parallel bus, advanced technology attached (“ATA”), serial ATA(“SATA”), universal serial bus (“USB”), Thunderbolt, FireWire, variousvideo buses, and the like. The I/O interface 2060 may be configured toimplement only one interface or bus technology. Alternatively, the I/Ointerface 2060 may be configured to implement multiple interfaces or bustechnologies. The I/O interface 2060 may be configured as part of, allof, or to operate in conjunction with, the system bus 2020. The I/Ointerface 2060 may include one or more buffers for bufferingtransmissions between one or more external devices, internal devices,the computing machine 2000, or the processor 2010.

The I/O interface 2060 may couple the computing machine 2000 to variousinput devices including mice, touch-screens, scanners, biometricreaders, electronic digitizers, sensors, receivers, touchpads,trackballs, cameras, microphones, keyboards, any other pointing devices,or any combinations thereof. The I/O interface 2060 may couple thecomputing machine 2000 to various output devices including videodisplays, speakers, printers, projectors, tactile feedback devices,automation control, robotic components, actuators, motors, fans,solenoids, valves, pumps, transmitters, signal emitters, lights, and soforth.

The computing machine 2000 may operate in a networked environment usinglogical connections through the network interface 2070 to one or moreother systems or computing machines across the network 2080. The network2080 may include wide area networks (WAN), local area networks (LAN),intranets, the Internet, wireless access networks, wired networks,mobile networks, telephone networks, optical networks, or combinationsthereof. The network 2080 may be packet switched, circuit switched, ofany topology, and may use any communication protocol. Communicationlinks within the network 2080 may involve various digital or an analogcommunication media such as fiber optic cables, free-space optics,waveguides, electrical conductors, wireless links, antennas,radio-frequency communications, and so forth.

The processor 2010 may be connected to the other elements of thecomputing machine 2000 or the various peripherals discussed hereinthrough the system bus 2020. It should be appreciated that the systembus 2020 may be within the processor 2010, outside the processor 2010,or both. According to some embodiments, any of the processor 2010, theother elements of the computing machine 2000, or the various peripheralsdiscussed herein may be integrated into a single device such as a systemon chip (“SOC”), system on package (“SOP”), or ASIC device.

In situations in which the systems discussed here collect personalinformation about users, or may make use of personal information, theusers may be provided with a opportunity to control whether programs orfeatures collect user information (e.g., information about a user'ssocial network, social actions or activities, profession, a user'spreferences, or a user's current location), or to control whether and/orhow to receive content from the content server that may be more relevantto the user. In addition, certain data may be treated in one or moreways before it is stored or used, so that personally identifiableinformation is removed. For example, a user's identity may be treated sothat no personally identifiable information can be determined for theuser, or a user's geographic location may be generalized where locationinformation is obtained (such as to a city, ZIP code, or state level),so that a particular location of a user cannot be determined. Thus, theuser may have control over how information is collected about the userand used by a content server.

One or more aspects of the example embodiments may comprise a computerprogram that embodies the functions described and illustrated herein,wherein the computer program is implemented in a computer system thatcomprises instructions stored in a machine-readable medium and aprocessor that executes the instructions. However, it should be apparentthat there could be many different ways of implementing embodiments incomputer programming, and the invention should not be construed aslimited to any one set of computer program instructions. Further, askilled programmer would be able to write such a computer program toimplement an embodiment of the disclosed invention based on the appendedflow charts and associated description in the application text.Therefore, disclosure of a particular set of program code instructionsis not considered necessary for an adequate understanding of how to makeand use the invention. Further, those skilled in the art will appreciatethat one or more aspects of the invention described herein may beperformed by hardware, software, or a combination thereof, as may beembodied in one or more computing systems. Moreover, any reference to anact being performed by a computer should not be construed as beingperformed by a single computer as more than one computer may perform theact.

The example embodiments described herein can be used with computerhardware and software that perform the methods and processing functionsdescribed herein. The systems, methods, and procedures described hereincan be embodied in a programmable computer, computer-executablesoftware, or digital circuitry. The software can be stored oncomputer-readable media. For example, computer-readable media caninclude a floppy disk, RAM, ROM, hard disk, removable media, flashmemory, memory stick, optical media, magneto-optical media, CD-ROM, etc.Digital circuitry can include integrated circuits, gate arrays, buildingblock logic, field programmable gate arrays (FPGA), etc.

The example systems, methods, and acts described in the exampleembodiments presented previously are illustrative, and, in alternativeembodiments, certain acts can be performed in a different order, inparallel with one another, omitted entirely, and/or combined betweendifferent example embodiments, and/or certain additional acts can beperformed, without departing from the scope and spirit of embodiments ofthe invention. Accordingly, such alternative embodiments are included inthe invention claimed herein.

Although specific embodiments have been described above in detail, thedescription is merely for purposes of illustration. It should beappreciated, therefore, that many aspects described above are notintended as required or essential elements unless explicitly statedotherwise. Modifications of, and equivalent components or actscorresponding to, the disclosed aspects of the example embodiments, inaddition to those described above, can be made by a person of ordinaryskill in the art, having the benefit of the present disclosure, withoutdeparting from the spirit and scope of the invention defined in thefollowing claims, the scope of which is to be accorded the broadestinterpretation so as to encompass such modifications and equivalentstructures.

What is claimed is:
 1. A computer-implemented method for correlatingevents in a network, the method comprising: at each subject device inthe network, receiving a set of network packets, the set of networkpackets including characteristics indicative of an event; correlatingthe set of network packets to identify at least one characteristicassociated with the event; creating an event including the at least onecharacteristic; sending, from each subject device, a copy of the eventto the network-connected administration machine; receiving a pluralityof events at the network-connected administrator machine, each eventcoming from a subject device; storing the plurality of events in astorage device associated with the administrator machine; receiving anevent from the plurality of events indicative of a problem affecting atleast one subject device; correlating a subset of the plurality ofevents, including the received event, to create a set of correlatedevents, the correlated events including at least two temporally andcausally related events; displaying, via a graphical user interface,information from the correlated events, a description of one or moreevents from the correlated events, and an identified cause of theproblem; and displaying, via the graphical user interface, informationfrom the correlated events as a temporally and causally-related log. 2.The computer-implemented method of claim 1, wherein displaying, via thegraphical user interface, the identified cause of the problem includes adescription of the problem.
 3. The computer-implemented method of claim1, wherein at least two events of the plurality of events are associatedwith a category.
 4. The computer-implemented method of claim 3, whereinthe events having the same category are correlated together.
 5. Thecomputer-implemented method of claim 1, wherein one or more events arecorrelated based on a username.
 6. The computer-implemented method ofclaim 1, further comprising receiving a click on a rendering of theproblem, and responsive to the click, rendering a portion of eventscorrelated to the problem via the graphical user interface.
 7. A systemfor identification of errors affecting a network, the system comprising:one or more processors; and one or more non-transitory computer-readablemedia storing computer-executable instructions that, when executed bythe one or more processors, cause the one or more processors to: receivea set of network packets, the set of network packets includingcharacteristics indicative of an event; correlate the set of networkpackets to identify at least one characteristic associated with theevent; create an event, the event including the at least onecharacteristic; receive a plurality of events, each event coming from asubject device; store the plurality of events in a network-connectedstorage facility; identify an error relating to at least one subjectdevice; correlate a subset of events from the plurality of events tocreate a set of correlated events, wherein collecting the subset ofevents includes identifying both a causal relationship between at leasttwo events and a temporal relationship between two events; render, via agraphical user interface, at least a portion of information from thecorrelated events as a tree-like structure; display, via the graphicuser interface, at least a portion of the information from thecorrelated events as a temporally and causally-related log; and display,via the graphical user interface, a problem identified as a root causeof the error.
 8. The system of claim 7, wherein displaying an eventidentified as a root cause of the error includes a description of theproblem causing the error.
 9. The system of claim 7, wherein at leasttwo events of the plurality of events are associated with a category.10. The system of claim 9, wherein the events having the same categoryare correlated together.
 11. The system of claim 7, wherein one or moreevents are correlated based on a username.
 12. The system of claim 7,wherein the graphical user interface is operable to receive a click on arendering of the problem, and responsive to the click, rendering aportion of events correlated to the problem via the graphical userinterface.
 13. One or more tangible computer readable storage mediaencoded with software comprising computer executable instructions thatwhen executed are operable to: at each subject device in a network,receive a set of network packets, the set of network packets includingcharacteristics indicative of an event; correlate the set of networkpackets to identify at least one characteristic associated with theevent; create an event including the at least one characteristic;correlate subset of events from a plurality of events that areindicative of a problem affecting at least one subject device, whereincorrelate the subset of events includes identify both a causalrelationship between at least two events and a temporal relationshipbetween two events; render, via a graphical user interface, at least aportion of information from the plurality of event logs as a tree-likestructure; display, via the graphical user interface, at least a portionof the information from the correlated events as a temporally andcausally-related log; and display, via the graphical user interface, aproblem identified as a root cause of the problem.
 14. The computerexecutable instructions of claim 13, wherein the instructions thatdisplay, via the graphical user interface, an event identified as a rootcause of the problem further include a description of the problem. 15.The computer executable instructions of claim 13, wherein the problemhas a category.
 16. The computer executable instructions of claim 15,wherein the problem is one of a plurality of problems, and theinstructions are further operable to correlate problems having the samecategory together.
 17. The computer executable instructions of claim 13,wherein the computer executable instructions are operable to correlateone or more events are based on a username.
 18. The computer executableinstructions of claim 13, wherein the computer executable instructionsare operable to receive a click on a rendering of a problem, andresponsive to the click, render a portion of the logs relating to theproblem via the graphical user interface.